Security of WiFi networks

Details

Created: 27 June 2012

Security of Wi-Fi networks is based almost solely on the encryption of data traffic. Here are the most common types:

WEP

This encryption protocol uses a fairly solid RC4 algorithm with conjunction of non-static keys. There are 64 -, 128 -, 256 - and 512-bit WEP encryption strengths. The more bits - the better the security. A part of the WEP key is static (for instance 40-bit of 64-bit encryption), and the other part (24 bits) - dynamic which varies in time. The main vulnerability of the WEP protocol is that the initialization vector is repeated after a period of time, and an intruder only needs to collect and evaluate these repetitions to learn the static part of the key. In order to increase the level of network security one could add encryption using 802.1x or VPN protocols.

WPA

It is certainly a stronger encryption protocol than wep although it uses the same algorithm RC4. Increased level of security is achieved through the use of protocols TKIP and MIC.

- TKIP (Temporal Key Integrity Protocol). Dynamic keys last only minutes. Each device has a dedicated key that is also changing.

- WPA-PSK (Pre-shared key). This is quite suitable for a WiFi network at home or small office. Each wireless device encrypts the network traffic with a 256 bit key which can be entered as a key-phrase in ASCII characters

- WPA-802.1x. Logging on to the WiFi network via an authentication server. It is geared towards usage in a corporate environment.

WPA2

Naturally it is an upgraded WPA protocol. Unlike the WPA it uses a strong encryption algorithm AES. As in case with its predecessor WPA2 is also divided into two types: WPA2-PSK and WPA2-802.1x.

802.1X

It is a golden standard for WiFi Network Security which includes several protocols:

- EAP (Extensible Authentication Protocol) used in conjunction with a RADIUS server in large networks.

- TLS (Transport Layer Security). This protocol ensures the integrity and encryption of data transferred between a server and a client, and their mutual authentication preventing interception and spoofing messages.

VPN

VPN (Virtual Private Network) - Virtual Private Network. This protocol was designed to securely connect remote clients to a local network via a public network, such as the Internet. The purpose of VPN is creating a "tunnel" from a user to the site or a server. Although VPN was developed long before the Wi-Fi networks, it can be used with any type of a network. The encryption of VPN is commonly performed by IPSec as it provides a high level of security. Currently there are no known case of breaking in through IPSec / VPN. It's a natural choice for corporate networks.

Additional methods of protection

MAC address filtering.

MAC address - the unique device identifier (NIC), "wired" into a network device by a manufacturer. It's possible to restrict access to WiFi networks based on pre-defined MAC addresses. This creates an additional barrier for an attacker although not very serious - MAC addresses can be forged.

Hiding the SSID.

SSID - an identifier for your wireless network. Most wireless access points allow hiding it. So that a laptop scanning for wi-fi networks won't detect it. Yet again, it's not a serious obstacle if an attacker uses a more advanced scanner than a standard utility for Windows.

It is always a good idea to deny access to the settings of a wireless access point through its wireless network. By activating this function, one prevents access to the settings but does not protect from eavesdropping or using the network.

Now it's time to summarize how strong these layers of network security are and what's the best way to protect a WiFi network:

Protection mechanism

Reliability and strength

WEP

WEP has fundamental weaknesses which led promptly to the introduction of WPA. If it's your only option it's best to use it in conjunction with VPN or 802.1x

WPA-PSK

A step-up from WEP but still not 100% water proof, same mentality applies

WPA2-PSK

Solid only IF the security keyword is not a dictionary based password. One wouldn't want to take chances against a 2GB possible variations commonly picked by humans (imagine a truck loaded with books).

WPA2-RAIDUS

Solid however it requires a RADIUS server and thus it's NOT an option for small business

VPN

Not directly related to WiFi. This independent shield is likely to seriously frustrate a successful WiFi intruder who would just see another fence upon breaking in.

MAC filtering

MAC addresses are trivial to spoof and it's just the matter of hours of observation to derive the addresses that are permitted. It might work well against a super-model moving in next door but not against a college kid

Hidden SSID

There are means to eavesdrop on the radio traffic and unveil this secret SSID

The conclusion is simple: the best shot of protecting the security of a WiFi network (especially a corporate WiFi network!) is to pick WPA2-PSK encryption mechanism and select a secure keyphrase (Here's a simple online utility to check how good a password is. Watch out for dictionary based passwords! Ideally one should store these in a secure professional way using a free password manager)